SEC-531 First draft of Cloud Trail KMS encryption

Author: wesleung

cloudtrail.tf

@@ -9,15 +9,15 @@ module "cloudtrail" {
     aws_kms_grant.org_kms
   ]
 
-  name                          = var.cloudtrail_name
-  enable_log_file_validation    = var.cloudtrail_enable_log_file_validation
-  enable_logging                = var.cloudtrail_enable_logging
-  include_global_service_events = var.cloudtrail_include_global_service_events
-  insight_selector              = var.cloudtrail_insight_selector
-  is_multi_region_trail         = var.cloudtrail_is_multi_region_trail
-  is_organization_trail         = var.cloudtrail_is_organization_trail
-  #kms_key_arn                   = var.kms_key_id == "" ? "" : data.aws_kms_key.by_alias.arn
-  s3_bucket_name                = var.log_s3_bucket
-  s3_key_prefix                 = var.cloudtrail_s3_key_prefix
-  tags                          = var.tags
+  name                              = var.cloudtrail_name
+  enable_log_file_validation        = var.cloudtrail_enable_log_file_validation
+  enable_logging                    = var.cloudtrail_enable_logging
+  include_global_service_events     = var.cloudtrail_include_global_service_events
+  insight_selector                  = var.cloudtrail_insight_selector
+  is_multi_region_trail             = var.cloudtrail_is_multi_region_trail
+  is_organization_trail             = var.cloudtrail_is_organization_trail
+  kms_key_arn                       = var.kms_key_id == "" ? "" : data.aws_kms_key.by_alias[0].arn
+  s3_bucket_name                    = var.log_s3_bucket
+  s3_key_prefix                     = var.cloudtrail_s3_key_prefix
+  tags                              = var.tags
 }

data.tf

@@ -12,5 +12,6 @@ data "aws_regions" "enabled" {
 }
 
 data "aws_kms_key" "by_alias" {
+  count   = var.kms_key_id == "" ? 0 : 1
   key_id = var.kms_key_id
 }

modules/cloudtrail/main.tf

@@ -26,20 +26,21 @@
 #tfsec:ignore:aws-cloudtrail-enable-at-rest-encryption
 module "cloudtrail" {
   #ts:skip=AC_AWS_0448 Multi Region is enabled. Not work with Org?
-  source  = "appzen-oss/cloudtrail/aws"
+  #source  = "appzen-oss/cloudtrail/aws"
+  source  = "../../../terraform-aws-cloudtrail"
   #version = "0.22.0"
 
-  name                          = var.name
-  enable_log_file_validation    = var.enable_log_file_validation
-  include_global_service_events = var.include_global_service_events
-  is_multi_region_trail         = var.is_multi_region_trail
-  is_organization_trail         = var.is_organization_trail
-  insight_selector              = var.insight_selector
-  enable_logging                = var.enable_logging
-  kms_key_arn                   = var.kms_key_arn
-  s3_bucket_name                = var.s3_bucket_name
-  s3_key_prefix                 = var.s3_key_prefix
-  tags                          = var.tags
+  name                              = var.name
+  enable_log_file_validation        = var.enable_log_file_validation
+  include_global_service_events     = var.include_global_service_events
+  is_multi_region_trail             = var.is_multi_region_trail
+  is_organization_trail             = var.is_organization_trail
+  insight_selector                  = var.insight_selector
+  enable_logging                    = var.enable_logging
+  kms_key_arn                       = var.kms_key_arn
+  s3_bucket_name                    = var.s3_bucket_name
+  s3_key_prefix                     = var.s3_key_prefix
+  tags                              = var.tags
 }
 
 # Pass tags

modules/guardduty/main.tf

@@ -70,7 +70,24 @@ resource "aws_guardduty_detector" "self" {
     s3_logs {
       enable = true
     }
+    kubernetes {
+      audit_logs {
+        enable = true
+      }
+    }
+    malware_protection {
+      scan_ec2_instance_with_findings {
+        ebs_volumes {
+          enable = true
+        }
+      }
+    }
   }
+  #datasources {
+  #  s3_logs {
+  #    enable = true
+  #  }
+  #}
   tags = var.tags
 }
 

organization.tf

@@ -40,13 +40,25 @@ locals {
       var.enable_firewall_manager ? "fms.amazonaws.com" : "",
       var.enable_firewall_manager ? "ram.amazonaws.com" : "",
       var.enable_guardduty ? "guardduty.amazonaws.com" : "",
+      var.enable_guardduty ? "malware-protection.guardduty.amazonaws.com" : "",
       var.enable_iam_access_analyzer ? "access-analyzer.amazonaws.com" : "",
       var.enable_securityhub ? "securityhub.amazonaws.com" : "",
     ]
   )))
+  remove_nondelegated_principals = toset(compact(
+    [
+      "aws-artifact-account-sync.amazonaws.com",
+      "health.amazonaws.com",
+      "ram.amazonaws.com",
+      "malware-protection.guardduty.amazonaws.com",
+      "servicequotas.amazonaws.com",
+      "tagpolicies.tag.amazonaws.com",
+      "wellarchitected.amazonaws.com",
+    ]
+  ))
   # Final principals set with items added and removed
-  aws_service_access_principals = setsubtract(
-  local.access_principals, local.remove_access_principals)
+  aws_service_access_principals = setsubtract(local.access_principals, local.remove_access_principals)
+  aws_delegated_principals      = var.account_type == "master" ? toset(setsubtract(local.aws_service_access_principals, local.remove_nondelegated_principals)) : toset([])
   #var.enable_artifact         ? "" : "",
 
   #enabled_policy_types = toset(compact([
@@ -63,3 +75,15 @@ resource "aws_organizations_organization" "self" {
   enabled_policy_types          = data.aws_organizations_organization.self.enabled_policy_types
   feature_set                   = "ALL"
 }
+
+resource "aws_servicecatalog_organizations_access" "self" {
+  count                         = var.account_type == "master" ? 1 : 0
+  enabled = "true"
+}
+
+resource "aws_organizations_delegated_administrator" "self" {
+  for_each          = local.aws_delegated_principals
+  account_id        = var.security_administrator_account_id
+  service_principal = each.key
+  depends_on        = [aws_servicecatalog_organizations_access.self,aws_organizations_organization.self]
+}